GDPR – scaremongering abounds
There have been a lot of articles going around over the last year or so talking about GDPR. Even more now that the deadline is just over a month away. And most of these articles talk about how much work will be involved in getting GDPR ready, and how big and scary the fines are. And frankly, we think that’s mostly scaremongering. So today, we wanted to take a more positive spin on GDPR, and show you that it’s not all doom and gloom after all.
Let’s Talk Fines
First, let’s get something straight – yes, the fines for breaching GDPR are pretty steep. They have to be, or they wouldn’t be much of a deterrent. But given just how much change will have to happen for most businesses to be compliant, you probably won’t face these fines if you miss something. Those big numbers are generally reserved for companies who are deliberately ignoring or misusing GDPR – not people who just didn’t manage to get something done in time. The big €20 million isn’t going to crash down on everyone equally. In fact, the ICO have complete control over the level of fine issued, and will consider the following when calculating it:
- The nature, gravity and duration of the infringement.
- The intentional or negligent character of the infringement.
- Any action taken by the organisation to mitigate the damage suffered by individuals.
- Technical and organisational measures that have been implemented by the organisation.
- Any previous infringements by the organisation or data processor.
- The degree of cooperation with the regulator to remedy the infringement.
- The types of personal data involved.
- The manner in which the infringement became known to the supervisory authority. In particular, whether, and if so to what extent, the controller or processor notified the infringement themselves.
- Adherence to approved codes of conduct or certification schemes.
So you see, if you’re genuinely trying to be compliant, the likelihood is you won’t be hit with the big fines. In fact, many experts believe that the number of fines issued in year 1 will be less than 3% of what should be issued. So stop worrying so much about that enormous scary number, and instead focus on the positives.
You’re Probably Already Compliant
Or at least most of the way there. The thing is, GDPR might read like a radical change to the way privacy laws work, but in actual fact there aren’t too many differences. If you’re compliant with the current Data Protection Act, odds are you’re most of the way there with GDPR. The main game changer is the shift of focus from assumed consent to direct consent – meaning all of the people you hold data on need to have actively consented to give it. This might mean you need to change the wording on some of your online forms and paperwork to reflect it. You might also need to do a bit of housekeeping to clear out any old data, and gain consent for the bits you want to keep. If you’re still not sure what you need to do to be compliant, the Information Commissioner’s Office (ICO) has a handy checklist, which you can download here.
Do Some Spring Cleaning
It is springtime after all (despite what the weather thinks), and with GDPR around the corner it’s the perfect time to do some spring cleaning to get ready. Right now, you’re probably holding on to more data than you’re ever going to use, for the simple reason that you’ve never really needed to get rid of it. But GDPR requires you to ditch any data you don’t have a use for – so it’s time to get clearing. Anything you don’t need any more can go, along with anything you don’t have a legitimate interest in. For clarity – legitimate interest is an official term from the ICO that complements the consent rules. Just make sure you’re shredding anything that isn’t needed any more, to keep the data secure. While you’re at it, you might want to think about putting all of the data you’re keeping into a document management programme or a digital database so that it’s easier to protect and find. This process won’t only help you stay compliant, it will cut your costs too. And it puts you on your way to a paperless office – 3 benefits in one!
The point we’re trying to get to is this: GDPR doesn’t have to be scary. It’s not some big looming thing that requires you to completely overhaul how your business works just to avoid crippling fines. Sure, it might take a day or two of your time to sit down and work out what you need to do and then do it (or outsource if you can’t do it all alone), but it’s nothing to panic about.
This article was written by Zahir Mohammed of Herefords Solicitors. At Herefords they are working with a lot of businesses to evaluate their contracts and HR departments for GDPR compliance, and most are coming up around 70% compliant already. If you think you need help working out if you’re compliant, just get in touch with the team at Herefords today.